uid administration (Long)

Sam Kimery kimery at orchestra.ecn.purdue.edu
Sat Mar 10 04:43:48 AEST 1990


Here at the Purdue Engineering Computer Network (ECN), we are using
software known as ACmaint, which was written in house.  In an attempt to
keep this brief, I'll give the "glossy" description of ACmaint. Those
wanting more detail may contact me (kimery at ecn.purdue.edu).

Currently ACmaint controls about 400 machines (all at ECN). There are
about 12,000 users with 90,000 accounts.  Each Fall about 2,000 new
accounts are added, with 1,000 (or so) accounts deleted each summer.

ACmaint uses a daemon on each machine under its control (TRANSD) and a
single daemon that controls a central database (DBD). ACmaint controls
all user accounts.  Some items are maintained as "common" to a login
(eg: uid, login, fullname, etc) and changes to these cause changes on
all machines the user has an account on.  Other items are considered to
be "per machine" and are stored separately (eg: gid, passwd, shell,
homedir, etc).  Changes to the per-account information are only
transmitted to the machines affected. All changes occur immediately (or
reasonably close :-)).  Fun things like changing the root password,
which used to take 3+ hours to do, now consume less than 1 minute of
"human" time, and are completed in less than 20 minutes (network wide).

ACmaint also understands the things that it must do in order to
create/delete an account and several local "features."

There are several front-ends to ACmaint:

The most commonly used by standard users is through modified versions of
the standard commands (eg: passwd, chsh, chfn, etc) that contact the DBD
rather than update the local copy of /etc/passwd. These commands have
also been modified to allow the use of a new flag ('-n') which causes
the change to take place 'netwide'.  A good example would be
'passwd -n barfoo', which would cause the password for the user 'barfoo'
to be changed on every machine (under ACmaint's control, of course) -
with the exception of the '-n' flag, the command interacts the same as
the standard Unix /bin/passwd.

The administrative front end is known as AH (account handler) and allows
a system administrator to manipulate (create/destroy/change) accounts
from any machine on our network.  The current version of AH supports the
following commands:

	!               - execute shell command
	#               - a comment, the entire line is ignored
	=               - set a default value or assign a value to a variable
	?               - see help
	add             - add a user to new host(s)
	add_group       - add user(s) to a group
	change          - change user information by field
	change_group    - change group information by field
	copy            - copy a user from one host to other host(s)
	create          - create a new account
	create_group    - create a new group
	disable         - disable an account
	edit            - edit last command and re-execute
	enable          - enable a disabled account
	help            - print help
	log             - manipulate log files
	message         - set a message on an account
	quit            - quit, exit ah
	read            - execute commands from a file
	remove          - remove a user from host(s)
	remove_group    - remove user(s) from a group
	show            - show user information
	show_group      - show group information
	terminate       - remove a user from all hosts
	terminate_group - eliminate a group
	unmessage       - remove a message from an account

ACmaint has the ability to survive system crashes, and goes to great
length to assure that no data loss occurs.

ACmaint has run or is running on the following architectures: sun3, sun4
(all), vax 780, Gould NP-1, Gould 9080, CCI Tahoe, and Sequent Symmetry.

I'm working on the next version of ACmaint, which is expected to be
complete sometime this summerish.  That will be the first publicly
available version.

Again, for further details, please contact me (kimery at ecn.purdue.edu)

--Sam
---------------------------------------------------------------------------------
                  Sam Kimery  -  Unix Systems Programmer
	     Engineering Computer Network  - Purdue University
    UUCP: pur-ee!kimery  ARPA: kimery at ecn.purdue.edu   BELL: 317-494-3473
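The post describes a central database (DBD) that splits account attributes into ones "common" to a login (uid, login, fullname) and ones kept "per machine" (gid, passwd, shell, homedir), and that sends each change only to the hosts it affects, with '-n' widening a per-machine change to every host the user has an account on. The following is an added example written for this archive page, not ACmaint code: a small model of that propagation logic, with the class and method names, the host names and the password-hash strings all constructed here. It enforces network-wide uniqueness of login and uid, computes the set of hosts a change has to be shipped to, and keeps a journal of pending updates so that nothing is lost if the transport to a host fails part way.

```python
"""Model of a central account database that propagates changes to hosts.

Added example, not ACmaint code.  It mimics the split between attributes
common to a login and attributes stored per machine, and computes which
hosts each change must be transmitted to.  All names are constructed.
"""

# Attributes that are identical on every host a login exists on.
COMMON_FIELDS = {"uid", "fullname"}
# Attributes that may differ from host to host.  "passwd" holds the hash,
# never the cleartext, just as the /etc/passwd field does.
PER_HOST_FIELDS = {"gid", "passwd", "shell", "homedir"}


class CentralDB:
    """Stand-in for the DBD: the single authority for all accounts."""

    def __init__(self):
        self.common = {}    # login -> {"uid": ..., "fullname": ...}
        self.per_host = {}  # (login, host) -> {"gid": ..., "passwd": ..., ...}
        self.journal = []   # (host, login, field, value): updates to ship to TRANSD

    def create(self, login, uid, fullname, host, **per_host):
        """Create a new login network-wide and give it a first account on `host`."""
        if login in self.common:
            raise ValueError(f"login {login!r} already exists network-wide")
        if any(c["uid"] == uid for c in self.common.values()):
            raise ValueError(f"uid {uid} already taken network-wide")
        self.common[login] = {"uid": uid, "fullname": fullname}
        self.add(login, host, **per_host)

    def add(self, login, host, **per_host):
        """Give an existing login an account on one more host."""
        if login not in self.common:
            raise KeyError(f"unknown login {login!r}")
        missing = PER_HOST_FIELDS - set(per_host)
        if missing:
            raise ValueError(f"missing per-host fields: {sorted(missing)}")
        self.per_host[(login, host)] = dict(per_host)
        self.journal.append((host, login, "create", None))

    def hosts_of(self, login):
        """Every host on which `login` currently has an account."""
        return sorted(h for (l, h) in self.per_host if l == login)

    def change(self, login, field, value, host=None, netwide=False):
        """Apply one change and return the hosts it must be transmitted to.

        Common fields always go to every host the login is on.  Per-host
        fields go to one host, or to all of them when netwide=True (the
        post's 'passwd -n' behaviour).
        """
        if field in COMMON_FIELDS:
            targets = self.hosts_of(login)
            self.common[login][field] = value
        elif field in PER_HOST_FIELDS:
            if netwide:
                targets = self.hosts_of(login)
            elif host is not None:
                targets = [host]
            else:
                raise ValueError("per-host field needs host= or netwide=True")
            for h in targets:
                self.per_host[(login, h)][field] = value
        else:
            raise KeyError(f"unknown field {field!r}")
        for h in targets:
            self.journal.append((h, login, field, value))
        return targets

    def passwd_line(self, login, host):
        """Render the /etc/passwd line TRANSD would install on `host`."""
        c = self.common[login]
        p = self.per_host[(login, host)]
        return (f"{login}:{p['passwd']}:{c['uid']}:{p['gid']}:"
                f"{c['fullname']}:{p['homedir']}:{p['shell']}")


def demo():
    """Walk through the cases the post describes; returns results for checking."""
    db = CentralDB()
    # Constructed sample data: two hosts, one user, placeholder hash strings.
    db.create("barfoo", 1001, "Bar Foo", "hostA", gid=100,
              passwd="HASH_A", shell="/bin/csh", homedir="/home/barfoo")
    db.add("barfoo", "hostB", gid=200,
           passwd="HASH_B", shell="/bin/sh", homedir="/u/barfoo")
    local = db.change("barfoo", "shell", "/bin/ksh", host="hostB")   # one host
    netwide = db.change("barfoo", "passwd", "HASH_NEW", netwide=True)  # 'passwd -n'
    common = db.change("barfoo", "fullname", "Bar F. Foo")             # always all
    try:
        db.create("other", 1001, "Some One", "hostA", gid=1,
                  passwd="HASH_X", shell="/bin/sh", homedir="/u/other")
        dup_uid_rejected = False
    except ValueError:
        dup_uid_rejected = True
    return {"local": local, "netwide": netwide, "common": common,
            "line_b": db.passwd_line("barfoo", "hostB"),
            "dup_uid_rejected": dup_uid_rejected,
            "journal_len": len(db.journal)}


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point a practitioner should take from the model is the scoping rule: a change to a common attribute or a netwide password change must reach every host the login exists on, and the central database is the only place that knows that set. The journal stands in for the crash-survival the post mentions: a host that is down when a change is made still has its pending updates recorded centrally.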